SUMMARY Popular doughnut chain Krispy Kreme has become the latest victim of a cyber attack. The incident, which…

****SUMMARY****

*   **Cyberattack Reported:** Krispy Kreme faced a cyberattack on November 29, 2024, disrupting online orders in the U.S.
*   **Operations Impact:** In-store sales and deliveries remained unaffected despite the breach.
*   **Quick Response:** The company collaborated with cybersecurity experts to investigate and contain the issue.
*   **Broader Context:** The attack follows recent cyber incidents affecting supply chains, like Blue Yonder’s breach impacting Starbucks.
*   **Expert Warning:** Cybersecurity threats highlight risks to operations, finances, and customer trust, urging stronger digital protections.

Popular doughnut chain Krispy Kreme has become the latest victim of a cyber attack. The incident, which was reported to the Securities and Exchange Commission (SEC) on November 29, 2024, has disrupted certain operations, including online ordering in the United States.

The attack comes in the wake of the November 21st cyberattack on Blue Yonder, a leading supply chain management software provider, which disrupted Starbucks operations as the coffee giant relies on its services.

****What Happened?****

According to the SEC filing, unauthorized activity was detected on a _“_portion_“_ of Krispy Kreme’s information technology systems. The company acted quickly, working with leading cybersecurity experts to investigate, contain, and mitigate the incident.

While Krispy Kreme shops around the world remain open, and customers can still place orders in person, the cyber attack has caused disruptions to online ordering in parts of the US. The company’s daily fresh deliveries to retail and restaurant partners, however, remain uninterrupted.

Krispy Kreme, working alongside its cybersecurity team, is actively working to resolve the situation and restore full online ordering capabilities. Federal law enforcement has also been informed about the attack.

****Expert Opinion****

“This seems like a targeted attack, happening during a time when Krispy Kreme is likely very busy,” said William Wright, CEO of Closed Door Security. “With online sales affected, customers might go somewhere else for their treats.”

Wright pointed out that while the incident mainly affected online sales, it could have been much worse. “If the attackers had gotten into Krispy Kreme’s production systems, they could have stopped doughnut production entirely,” he added.

Alberto Farronato, VP of Marketing at Oasis Security, a New York City-based provider of Non-Human Identity Management (NIM) solutions, has shared his insights on the Krispy Kreme breach. Farronato notes that the incident highlights how cybersecurity threats can have far-reaching consequences, affecting not just a company’s operations but also its customers.

“The ripple effect of a breach can be significant, leading to operational disruptions, financial losses, and a loss of customer trust,” he said. “This is a wake-up call for businesses to reexamine their approach to identity security, recognizing that the threat is not limited to human users, but also to the digital identities that power their systems.”

Farronato emphasizes that once a system is breached, it can become a doorway for attackers to gain unauthorized access to critical systems and data. As organizations become increasingly reliant on interconnected technology, it’s essential to take a proactive approach to identity security.

1.  **Aussie Food Giant Patties Foods Leaks Trove of Data**
2.  **Chowbus food delivery service suffers breach; data stolen**
3.  **FBI warns of ransomware attacks on Food, Agriculture sectors**
4.  **Dunkin Donuts Perks loyalty data breach: Change your password**
5.  **Hacker Claims Cisco Breach, Selling Stolen Data from Major Firms**

Krispy Kreme Cyber Attack Disrupted Online Ordering in the US

SUMMARY Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake,…

****SUMMARY****

*   **Dubbed AuthQuake; the flaw in Microsoft MFA allowed attackers to bypass security measures and access accounts.**

*   **Vulnerability impacted Azure, Office 365, and other Microsoft services with over 400 million users at risk.**

*   **Exploit leveraged the lack of rate limiting and extended validity of TOTP codes for login sessions.**

*   **Attackers could bypass MFA in under 70 minutes with a 50% success rate without user interaction.**

*   **Microsoft patched the flaw permanently on October 9, 2024, with stricter rate-limiting mechanisms.**

Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake, which allows attackers to bypass security measures and gain unauthorized access to user accounts. 

With over 400 million paid Office 365 subscriptions, the vulnerability could be a highly lucrative opportunity for cyber criminals to steal sensitive information such as emails, files, and communications across Microsoft’s platforms like Outlook, OneDrive, Teams, Azure, etc.

****Exploiting Rate Limit and Time-Based One-Time Password (TOTP)****

The exploit takes advantage of two key weaknesses in the MFA setup: Lack of Rate Limiting and Extended Timeframe for TOTP Codes. When users log in, they’re assigned a session ID and asked to verify their identity using a Time-Based One-Time Password (TOTP) from an authenticator app. The problem is that the system permits up to 10 failed login attempts per session without notifying the user or triggering any alerts.

The lack of rate limiting allows attackers to quickly create new login sessions and trial multiple TOTP codes, which are essentially six-digit numbers. Given that there are a million possible combinations for these codes, an attacker could theoretically exhaust all options without encountering any security measures.

On the other hand, TOTP codes are typically valid for only 30 seconds, the testing conducted by Oasis revealed that the system allowed codes to remain valid for up to 3 minutes. This extended time frame significantly increases the chances of success for an attacker attempting to guess the correct code.

****Result?****

According to Oasis Security’s **blog post** shared with Hackread.com ahead of its publishing on Wednesday, December 11, researchers concluded that attackers could bypass MFA in under 70 minutes with a 50% success rate, all without any user interaction or alerts. Here’s a demonstration the researchers created while testing the exploit themselves:

****Microsoft’s Response****

Oasis Security reported the incident to **Microsoft**. The tech giant was quick to respond and implemented a permanent fix on October 9, 2024, after a temporary fix was deployed on July 4, 2024. The fix involved introducing stricter rate limits that activate after a number of failed attempts, lasting for about half a day.

**Jason Soroko**, Senior Fellow at Sectigo, emphasizes the broader implications of this discovery stating, _“_AuthQuake highlights significant flaws in Microsoft’s MFA implementation. It’s a wake-up call for organizations to adopt patches and reconsider their reliance on outdated MFA solutions. The move towards passwordless authentication is not just a trend but a necessity for future-proofing our security measures._“_

****Lesson for Users and Companies****

While the specific flaw has been patched, organizations should inform employees about the importance of cybersecurity and encourage them to report any suspicious login attempts. Moreover, despite the recent issues, MFA remains a critical security measure therefore, use authenticator apps or explore stronger **passwordless methods** for added protection.

1.  **Microsoft Bookings Flaw Enables Account Hijacking**
2.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
3.  **Hackers Use Excel Files to Deliver Remcos RAT Variant**
4.  **Azure AI Flaws Lets Attacks Bypass Moderation Safeguards**
5.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**

AuthQuake Flaw Allowed MFA Bypass Across Azure, Office 365 Accounts

SUMMARY Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from…

****SUMMARY****

*   A sophisticated phishing campaign is targeting employees of 30+ companies across 12 industries worldwide.

*   Over 200 malicious links have been distributed, designed to steal user login credentials.

*   Attackers use trusted domains, dynamic company branding, and document platform impersonation to evade detection and trick users.

*   Stolen credentials are sent to attackers in real time via C2 servers or Telegram bots.

*   Organizations are urged to implement multi-factor authentication, train employees, and use advanced email filtering systems to protect against such attacks.

Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions.

So far, the campaign has successfully distributed over 200 malicious links designed to steal login credentials. The industries targeted in this phishing operation include the following:

*   Energy
*   Fashion
*   Finance
*   Aerospace
*   Manufacturing
*   Telecommunications
*   Government sectors

Countries and industries targeted in the campaign (Via Group-IB)

What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. In particular, the attackers are using three main techniques to bypass email security:

*   Trusted Domain Abuse
*   Dynamic Company Branding
*   Document Platform Impersonation

In the trusted domain abuse tactic, attackers embed malicious URLs within legitimate services like Adobe.com and Google AMP, making it harder for security tools to detect. In document platform impersonation, fake DocuSign and Adobe notifications are used to lure users into clicking links for what seem to be important documents.

Meanwhile, with dynamic company branding, phishing pages cleverly display the victim’s company logo and branding by pulling them directly from legitimate websites. It’s important to note that DocuSign has long been a target for cybercriminals to deliver malicious documents. While the platform works diligently to combat scammers, the abuse of its API has become a significant challenge in recent years.

Last month, a report revealed a staggering 98% increase in DocuSign phishing scams, including impersonation attempts and aggressive phishing attacks targeting the United States government.

In the ongoing attack, much like the previous campaign, users who click the malicious links are directed to convincing login pages that are pre-filled with their email addresses. Once credentials are entered, the data is sent to the attackers through either Command-and-Control (C2) servers or Telegram bots, giving them real-time access to the stolen information.

“The Telegram bot’s history log revealed that the collected credentials were not limited to a single company. Instead, they spanned a wide range of business email addresses belonging to various brands and countries, all impacted by an ongoing email phishing campaign,” Group-IB wrote in a blog post shared with Hackread.com heard of its publishing on Wednesday.

****Protecting Against Email-Based Attacks****

This campaign is ongoing therefore, companies need to watch out for what comes to their inbox. To stay protected, organizations should:

*   Enable multi-factor authentication for an added layer of security.
*   Train employees to verify unexpected document requests before taking action.
*   Implement advanced email filtering systems to detect and block threats.
*   Regularly monitor accounts for unauthorized access to quickly identify and address breaches.

1.  **EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA**
2.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
3.  **Black Basta Uses MS Teams, Email Bombing to Spread Malware**
4.  **Hackers Hit Job Seekers with AppLite Trojan with Fake Job Emails**
5.  **Phishers Impersonating Police Arrested in Multi-Million Euro Scam**

Global Ongoing Phishing Campaign Targets Employees Across 12 Industries

SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…

****SUMMARY****

*   **The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.**

*   **Attack exploits the IMsiServer interface for remote code execution and persistence.**

*   **Malicious DLLs are remotely written, loaded, and executed to compromise systems.**

*   **It requires the attacker and victim to be within the same domain, limiting the scope.**

*   **Consistent DCOM hardening patches can mitigate attack effectiveness.**

Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.

The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.

The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.

For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.

On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.

The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.

The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.

The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.

Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.

COM interfaces and tables (Credit: Deep Instinct)

Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.

This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.

1.  Voice assistant devices manipulated with ultrasonic waves
2.  Hackers can Downgrade Windows to Exploit Patched Flaws
3.  Electromagnetic Waves Steal Data from Air-Gapped Systems
4.  ‘Matrix’ Hackers Deploy Massive IoT Botnet for DDoS Attacks
5.  Hackers Can Steal Data from Air-Gapped PCs via SATA Cables

New DCOM Attack Exploits Windows Installer for Backdoor Access

The Black Basta ransomware group is using advanced social engineering tactics and a multi-stage infection process to target organizations.

****SUMMARY****

*   **Black Basta Campaign Resurgence:** Rapid7 researchers report a sophisticated social engineering campaign by the Black Basta ransomware group, refining tactics and targeting organizations globally.

*   **Enhanced Tactics:** Attackers use email bombing, impersonation via Microsoft Teams, and tools like QuickAssist and AnyDesk to gain remote access, bypass MFA, and execute malicious payloads.

*   **Malicious Tools:** Threat actors deploy tools like Zbot and DarkGate for credential harvesting, data exfiltration, and persistence before delivering Black Basta ransomware.

*   **Improved Payload Delivery:** Updated techniques include obfuscation with custom packers, DLL execution via rundll32.exe, and advanced evasion strategies.

*   **Mitigation Strategies:** Organizations should adopt stronger password policies, provide security training, and implement advanced defences to mitigate ransomware threats.

Cybersecurity researchers at Rapid7 have released a new report detailing its investigation of a sophisticated social engineering campaign launched by the infamous Black Basta ransomware group (aka UNC4393), threatening organizations worldwide. 

Researchers have observed a resurgence of activity in relation to Black Basta ransomware operators’ currently ongoing social engineering campaign, first reported in May 2024 and updated in August 2024.

The attackers have now refined their early stages procedures, including new malware payloads, improved delivery, and increased defence evasion, with lures sent via Microsoft Teams.

Reportedly, the campaign begins with email bombing in which a series of emails are sent to overwhelm potential victims, typically achieved by signing up users’ emails to multiple mailing lists simultaneously. Attackers impersonate IT support personnel offering assistance and tricking users into granting remote access to their systems. Microsoft Teams is used to establish initial contact whereas Azure/Entra tenant subdomains and custom domains are utilized as account domains.

Potential targets are tricked into installing/executing remote management tools like QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Threat actors also use the OpenSSH client to establish a reverse shell, or, share a QR code with the user, probably to bypass MFA (multi-factor authentication) after stealing their credentials.

As soon as they gain access, the attackers deploy a range of malicious tools for credential harvesting, lateral movement, and data exfiltration.  A custom packer is used to obfuscate various payloads, including Zbot, and DarkGate, to steal sensitive information and establish persistence on the system. The ultimate goal, however, is to deploy the Black Basta ransomware itself, to encrypt critical data and demand a ransom payment. 

One of the malicious QR codes used by the attackes (Via Rapid7)

For your information, DarkGate is a powerful malicious shellcode that can perform a wide range of malicious actions, including stealing information, establishing persistence, and re-infecting compromised machines by establishing a backdoor.

Zloader/Zbot, conversely, is a sophisticated trojan that steals login credentials, credit card information, and personal data, downloads and executes additional malware payloads, establishes persistence on the infected system and communicates with command-and-control servers.

Compared to Rapid7’s previously detected attacks, researchers noted some similarities and some unique approaches in this campaign:

“Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader,” the blog post revealed.

To mitigate the risk of such attacks, organizations must improve their security measures, including implementing stronger password protection mechanisms, regular security awareness training for employees, and advanced security solutions.

1.  **Telecom Gian****t** **BT Group Hit by Black Basta Ransomware**
2.  **Russian Midnight Blizzard Hits MS Teams in Precision Attack**
3.  **Iranian Hackers Target Microsoft 365 with MFA Push Bombing**
4.  **Storm-0324 Exploits MS Teams Chats for Ransomware Attacks**
5.  **Vietnamese DarkGate Malware Targets META Accounts Worldwide**

Black Basta Ransomware Uses MS Teams, Email Bombing to Spread Malware

A critical security flaw in Dell Power Manager has been discovered that could allow attackers to compromise your systems and execute arbitrary code.

****SUMMARY:****

*   **Critical Vulnerability Alert:** Dell Power Manager versions before 3.17 have a high-severity access control flaw (CVE-2024-49600) allowing attackers to gain elevated privileges.

*   **Exploitation Risk:** Attackers with local access can execute arbitrary code, bypass security measures, and compromise system confidentiality, integrity, and availability.

*   **Software Update:** Dell has released Power Manager version 3.17 to address this vulnerability; users should update immediately as no workaround is available.

*   **Vulnerability Discovery:** The flaw was identified and responsibly disclosed by TsungShu Chiu from CHT Security.

*   **Dell’s Recent Breaches:** Dell faced multiple data breaches in September 2024, exposing sensitive information of employees and projects, further emphasizing the need for robust security measures.

Dell has issued a critical security alert (DSA-2024-439) regarding an Improper Access Control vulnerability discovered in its Power Manager software. This vulnerability, identified as CVE-2024-49600, could potentially allow attackers to execute malicious code and gain elevated privileges on affected systems. The vulnerability affects versions of Dell Power Manager released before 3.17.

For your information, Dell Power Manager is a software widely used to manage power settings on Dell systems. This application extends system battery life and provides customizable battery maintenance settings. It also alerts users about power adapter, battery, docking, and USB Type-C device incompatibility.

The vulnerability occurs from improper access control within the software, making it exploitable by low-privileged users with local access. Attackers can bypass security measures, execute arbitrary code, and gain unauthorized access to sensitive system functions. The severity of this vulnerability is rated as high, with a CVSS Base Score of 7.8.

If exploited, it could lead to significant security risks to compromised systems, jeopardizing their confidentiality, integrity, and availability. Execution of arbitrary code can lead to malware installation, data theft, or system compromise, and gaining higher-level system privileges would enable unauthorized actors to perform actions that were otherwise restricted. 

Dell has released an updated version of Power Manager (version 3.17) that addresses the vulnerability. Users are strongly advised to update their software immediately to protect their systems as no workaround is currently available.

“Dell Technologies highly recommends applying this important update as soon as possible. The update contains critical bug fixes and changes to improve functionality, reliability, and stability of your Dell system,” the advisory read.

TsungShu Chiu from CHT Security identified this vulnerability and responsibly disclosed it to Dell Technologies, which in turn acknowledged and appreciated Chiu’s efforts. 

Dell has been in the news for all the wrong reasons lately. Hackread.com recently reported a series of Dell data breaches involving the exposure of sensitive information. Between 19 and 24 September 2024, a hacker, known as “grep,” was revealed to have breached Dell thrice (once with fellow hacker “Chucky”) stealing confidential data related to Jira files, database tables, and schema migrations, totalling 3.5 GB of uncompressed data, data for 10,863 employees, and approximately 500 MB of sensitive data, including project documents and Multi-Factor Authentication (MFA) data.

1.  **Dell resets all customer passwords after security breach**
2.  **Critical Vulnerabilities Found in Pre-Installed Dell Software**
3.  **8 Million Employee Records from Amazon, HP, Others Leaked**
4.  **30M Dell devices at risk by BIOSConnect code execution bugs**
5.  **Flashpoint Uncovers 100,000+ Hidden Flaws, Including Zero-Days**

Dell Urges Immediate Update to Fix Critical Power Manager Vulnerability

SUMMARY Zimperium’s zLabs has shared its latest research with Hackread.com, ahead of its publishing on December 10. According…

****SUMMARY****

*   **AppLite Trojan:** A new, stealthy banking trojan targeting Android devices, capable of stealing banking credentials, crypto wallets, and sensitive data.

*   **Phishing Campaign:** Delivered via fake job offer emails mimicking HR teams from reputable companies, tricking victims into downloading malware.

*   **Advanced Capabilities:** AppLite intercepts SMS, logs keystrokes, captures screenshots, and bypasses two-factor authentication.

*   **Evasion Tactics:** Employs obfuscation, dynamic behavior changes, and command-and-control updates to avoid detection.

*   **Safety Measures:** Avoid suspicious links, download apps only from trusted sources, and keep devices updated with strong security protocols.

Zimperium’s zLabs has shared its latest research with _Hackread.com_, ahead of its publishing on December 10. According to their research, millions of job seekers are unknowingly falling victim to a new wave of mobile-targeted phishing (mishing) campaign. Report author Vishnu Pratapagiri explained that cybercriminals are targeting individuals seeking new opportunities by sending fraudulent emails disguised as job offers from HR teams at well-known companies.

This highly sophisticated mobile phishing campaign involves distributing a new variant of the dangerous Antidot banking trojan. This new strain, dubbed AppLite by Zimperium researchers, targets unsuspecting victims through cleverly crafted job offer emails. 

Further probing reveals that AppLite is a particularly dangerous variant of the Antidot banking trojan. It’s designed to target mobile devices, primarily Android, and can steal sensitive information, including banking credentials and cryptocurrency wallet details.

For your information, in March 2024, Cyble researchers discovered an Android malware strain called “Antidot,” which disguised itself as a fake Google update and distributed through phishing campaigns, including SMSishing. Once installed, it stole sensitive banking information.

The attack begins with a well-crafted phishing email that mimics a job offer from a reputable company sent by the attackers posing as legitimate recruiters or HR representatives from the organization. Victims are tricked into visiting a legitimate job application page and downloading a seemingly harmless application, which acts as a dropper for the actual malware. 

The malicious email (left) – The phishing site used in the attack (Via Zimperium)

“In a subsequent communication, the threat actors direct victims to download a purported CRM Android application. While appearing legitimate, this application functions as a malicious dropper, facilitating the deployment of the primary payload onto the victim’s device,” researchers noted.

When this malicious app is installed, it secretly downloads and installs the AppLite trojan, which then requests extensive permissions, including Accessibility Services to get full control over the device.

AppLite’s capabilities are extensive. It can intercept SMS messages, log keystrokes, capture screenshots, and even control the device’s camera and microphone. It can also intercept two-factor authentication codes and steal sensitive information from banking and cryptocurrency apps.

Attack flow (Via Zimperium)

The malware’s developers have implemented several techniques to evade detection. It uses obfuscation techniques to hide its malicious code and can modify its behaviour to adapt to different security measures. Additionally, it leverages a command-and-control server to receive updates and instructions from the attackers.

To stay safe, it is crucial to stay cautious when downloading apps, especially from unknown sources. Be wary of unsolicited emails and messages, and avoid clicking on suspicious links or downloading attachments. Keep your device’s operating system and security software up-to-date, and enable strong password protection and two-factor authentication.

Hackers Target Job Seekers with AppLite Trojan Using Fake Job Emails

The Digital Operational Resilience Act (DORA) sets strict EU rules for financial institutions and IT providers, emphasizing strong…

The Digital Operational Resilience Act (DORA) sets strict EU rules for financial institutions and IT providers, emphasizing strong cyber risk management, reporting, red teaming, and testing by 2025.

The Digital Operational Resilience Act (DORA) is a set of EU rules around how companies handle disruptions. Each half-decade, digital security requirements seem to ramp up, and the EU is a big part of these growing demands. 

Financial entities need to now demonstrate a new approach to risk management, with January 2025 being when the new framework kick starts. It will govern banks, insurers, investment firms, and other financial companies. Third-party IT providers face similar scrutiny, too.

One fallout from this is that security validation through red teaming has become more important than ever. But before looking at how these assessments mirror actual cybersecurity threats, let’s dig into the DORA requirements.

****DORA Requirements****

DORA’s framework can be split into five elements, with IT risk management leading these pillars. Institutions ultimately need clear protocols to spot, block, and tackle cyber threats. Strong governance isn’t optional, of course, and written strategies must exist.

Quick incident reporting has more emphasis than before. Major IT issues require prompt notification to authorities, and financial entities must undergo threat-led testing. Service providers can’t escape oversight, as they ought to match the institution’s resilience standards.

Testing protocols demand thoroughness, and networks need assessment. Vulnerabilities require identification so that security plans can evolve. DORA ultimately pushes for constant vigilance and enhancement of protective measures.

****What is Red Teaming?****

To understand how red teaming helps, let’s quickly run through what it is. Red teaming is when expert professionals replicate sophisticated attack patterns, so it transcends basic checks. They even blend technical expertise with social manipulation, and physical security falls within this scope.

Teams will combine diverse talents so that a broad mix of skills is weaponised. Some focus on network penetration, while others excel at social engineering. Threat analysts tie this all together, and unexpected scenarios are launched. No warnings precede their attempts, either, so it creates genuine challenge conditions.

****How Red Teaming Aligns with DORA Requirements****

This methodology happens to precisely align with DORA’s testing demands, proving operational resilience through action – not documents. 

Under DORA, financial firms must conduct regular attack exercises. The first two must be done internally, but the third must be by an external red teaming expert.

DORA also mandates purple teaming, which is a collaboration between red teams and the defenders (blue team) to boost the response capabilities.

Teams probe critical functions systematically and exploit complex attack chains. Supply chain vulnerabilities emerge clearly.

Documentation flows naturally as a result, with each attack path generating new evidence. Organizations gain compliance proof while strengthening defenses and incident response procedures improve through practical application.

****Benefits of Red Teaming****

Red teaming delivers substantial benefits for financial firms seeking DORA compliance by providing a comprehensive evaluation of their security posture. This proactive approach helps identify and remediate vulnerabilities that might otherwise remain undetected through conventional testing.

The methodology isn’t only for DORA – it existed long before these new EU rules. This is because it strengthens incident response procedures by testing them under realistic conditions, and this methodology dates back decades.

Red teaming exercises also help validate the effectiveness of security investments and demonstrate due diligence to regulators. 

****Final Word****

Red teaming delivers vital DORA compliance support, but it ultimately proves one’s security capabilities through rigorous testing. Documentation satisfies regulatory requirements naturally, and as 2025 approaches, this methodology is becoming increasingly valuable.

1.  Best Paid and Free OSINT Tools for 2024
2.  Vulnerability Risk Management for External Assets
3.  Russia Hackers Abusing BRc4 Red Team Penetration Tool
4.  What is Stakeholder-Specific Vulnerability Categorization?
5.  Features of Cybersecurity Management Software for MSPs

How Red Teaming Helps Meet DORA Requirements

Summary Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In…

**Summary**

*   **Large-Scale Hacking Operation Uncovered**: Researchers link ShinyHunters and Nemesis to an operation exploiting millions of websites to steal over 2 terabytes of sensitive data.

*   **Sophisticated Tools and Tactics**: Hackers used Python, PHP, AWS IP ranges, and tools like ffuf, httpx, and Shodan to automate and expand their exploitation across regions.

*   **Collaborative Mitigation Efforts**: Researchers worked with the AWS Fraud Team to notify affected users, implement mitigation measures, and identify individuals involved in selling stolen data on Telegram.

*   **Critical Discovery in Misconfigured S3 Bucket**: An open S3 bucket used by the hackers exposed their stolen data, tools, and even potential identities, offering a unique glimpse into their operations.

*   **Call for Stronger Cybersecurity Practices**: The incident shows the need for proper configurations to protect cloud environments and prevent such large-scale breaches.

Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In this operation, hackers exploited vulnerabilities in millions of websites and took advantage of misconfiguration to access sensitive information including customer data, infrastructure credentials, and proprietary source code.

According to Noam Rotem and Ran Locar, two independent researchers who conducted this research, these attacks were carried out from a French-speaking country. It is worth noting that one of the ShinyHunters members Le Français Sébastien Raoult (aka Sezyo Kaizen), a France national, was arrested in Morocco back in July 2022. In January 2024, he was sentenced in the US to three years in prison. However, after spending less than a year, the hacker returned to France just last week.

****Tools and Tricks****

In their report for vpnMentor, researchers explained that the hackers were able to extract critical keys and secrets, which provided them with access to valuable data including application databases. The operation utilised several scripting languages, including Python and PHP, alongside specialized tools like ffuf and httpx, to automate the exploitation process.

Furthermore, the hackers used publicly available AWS IP address ranges to search millions of targets. They also used Shodan, a search engine for internet-connected devices, to perform reverse lookups and identify domain names associated with the discovered IPs. This method especially expanded their reach, allowing them to find and exploit numerous endpoints across different regions.

Researchers then collaborated with the AWS Fraud Team to implement mitigation measures and notify affected customers. The investigation also identified the names and contact information of some individuals behind the incident, assisting in further actions against the culprits who are selling their stolen data in dedicated Telegram channels for hundreds of Euros per breach.

The breach led to the theft of over 2 terabytes of data, including AWS customer keys and secrets that allowed access to various AWS services, as well as database and Git credentials, exposing source code and sensitive databases. SMTP and SMS credentials were also stolen, enabling attackers to send phishing emails and spam messages.

Moreover, cryptocurrency wallets and trading platform credentials were compromised, granting access to digital assets and trading accounts, alongside social media and email accounts, jeopardizing personal and business communications.

****Link to ShinyHunters and Nemesis Groups****

Investigations traced the infrastructure of this operation back to the ShinyHunters and Nemesis hacking groups because the tools and scripts used by the attackers held similarities to those previously associated with ShinyHunters, a group known for breaches at major companies like Ticketmaster, AT&T, Mashable and many more. The group also owned and administrated the notorious cybercrime and data breach forum Breach Forums for a while.

Additionally, the now-seized Nemesis Blackmarket was identified as a marketplace where the stolen credentials and access keys were being sold, often fetching hundreds of Euros per breach on platforms like Telegram.

Attack Flaw (Via: vpnMentor)

****Hackers Exposed Their AWS Bucket While Hunting Exposed Databases****

One critical discovery was an open Amazon S3 bucket used by the attackers to store harvested data. This bucket acted as a shared storage space, mistakenly left unsecured by its owner, facilitating the easy collection and distribution of stolen information.

> _“The discovery provided a glimpse into the operations of a large-scale web-scanning operation, the code used by the attackers, and even the potential identities of the people behind it. Data harvested from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by its owner. The S3 bucket was being used as a “shared drive” between the attack group members, based on the source code of the tools used by them. These tools are documented in French and signed by “Sezyo Kaizen”._
> 
> Researchers

Jim Routh, Chief Trust Officer at Saviynt, emphasized the scale and technical prowess of these criminal groups stating, “ShinyHunters and Nemesis represent highly organized cybercriminal syndicates operating on a large scale for profit. They exploit vulnerabilities in cloud services, often taking advantage of enterprises that may not fully understand the complexities and security controls of cloud environments. The range of targeted information, from credentials and cryptocurrency wallets to source code and cloud account secrets, shows their broad and opportunistic approach.”

Routh also highlighted the irony that the attackers themselves made a critical mistake by leaving an AWS S3 bucket open, which ultimately led to the detection of their activities.

Nevertheless, this incident shows why proper configuration and implementing cybersecurity practices are important to protect your online infrastructure. It will be interesting to see if the details shared by researchers with authorities lead to arrests or further revelations about the individuals involved in the hacking spree.

1.  **ShinyHunters Leak 33M Twilio Authy Phone Numbers**
2.  **Canada Arrests Hacker Linked to Snowflake Data Breaches**
3.  **ShinyHunters’ Santander Bank Breach: 30M User Data for Sale**
4.  **ALBeast: Misconfiguration Flaw Exposes 15k AWS Load Balancers**
5.  **Hacker in $3 Billion SSN Leak Reveals Himself as Brazilian Citizen**

ShinyHunters, Nemesis Linked to Hacks After Leaking Their AWS S3 Bucket

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day.…

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day. Stay proactive and secure your business.

A newly discovered Windows zero-day vulnerability exposes users across multiple Windows versions to credential theft. Discovered by 0patch researchers, this critical security flaw allows attackers to steal NTLM credentials through a deceptive yet simple method.

****What Makes This Vulnerability Dangerous?****

**Widespread Impact**

The vulnerability affects a wide range of Windows systems, including:

*   Windows Server 2022
*   Windows 11 (up to v24H2)
*   Windows 10 (multiple versions)
*   Windows 7 and Server 2008 R2

**Exploitation Mechanism**

Technical details of the vulnerability are withheld to minimize exploitation risk until Microsoft issues a fix to minimize any further risk of exploitation. 

The vulnerability enables attackers to steal a user’s NTLM credentials by luring them into opening a malicious file in Windows Explorer.

Attackers can trigger the vulnerability through minimal user interaction:

*   Opening a shared folder
*   Accessing a USB disk
*   Simply viewing a malicious file in Windows Explorer
*   Accessing the Downloads folder with a strategically placed file

****The Broader Context of Unpatched Vulnerabilities****

This isn’t an isolated incident. The same research team has previously identified multiple unresolved Windows vulnerabilities, including:

*   Windows Theme file issue
*   “Mark of the Web” vulnerability
*   “EventLogCrasher” vulnerability
*   Three NTLM-related vulnerabilities (PetitPotam, PrinterBug/SpoolSample, and DFSCoerce)

****0patch Micropatches****

0patch is offering a free micropatch for the latest NTLM zero-day to all users registered on its platform until Microsoft releases an official fix. The security micropatch has already been automatically deployed to PRO and Enterprise accounts, except in cases where configurations explicitly block automatic updates.

“The impact on enterprises using outdated and legacy infrastructure is more significant than the simple impact on operating costs, said Jim Routh,” Chief Trust Officer at cybersecurity company Saviynt. “In this case, the obsolete authentication application (NTLM) from MS enables threat actors to steal Windows credentials potentially compromising customer experience.”

****Focusing on the proactive approach****

Automated patch management, like the protection provided to PRO and Enterprise accounts through 0patch, is a great start, but organizations need to do more. Implementing strong server-hardening strategies can add multiple layers of defence by setting consistent security configurations across all systems.

This proactive approach goes beyond simply reacting to vulnerabilities, helping businesses stay protected against threats like the recent NTLM zero-day vulnerability.

1.  Hackers Use Excel Files for Remcos RAT Variant on Windows
2.  Godot Engine Exploited for Malware on Windows, macOS, Linux
3.  Windows SmartScreen Flaw Enabling Data Theft in Stealer Attack
4.  Windows Vulnerable to Command Injection via “BatBadBut” Flaw
5.  Russian Hackers Exploit Firefox and Windows 0-Days for Backdoor

Source

HackRead